H3-2026-0021
Azure Container Registry Anonymous Pull Enabled
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 7.2 |
Description
Where an Azure Container Registry is configured to allow anonymous (unauthenticated) pull access, users can pull container images without any credentials.
Impact
Attackers can access all container images stored in the registry without authentication. This might expose sensitive application code, proprietary algorithms, embedded secrets, API keys, certificates, or internal infrastructure details. Public exposure of private images can lead to intellectual property theft and credential compromise.
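One way to audit for the setting described above is to check each registry's `anonymousPullEnabled` property in the output of `az acr list -o json`. The script below is an added example, not part of the original advisory; the registry names in the sample are constructed, and the function name `find_anonymous_pull` and the file name passed on the command line are assumptions.

```python
import json
import sys

# Constructed sample shaped like `az acr list -o json` output (not real registries).
SAMPLE = json.dumps([
    {"name": "exampleinternal", "resourceGroup": "rg-example",
     "loginServer": "exampleinternal.azurecr.io",
     "anonymousPullEnabled": True, "publicNetworkAccess": "Disabled"},
    {"name": "examplepublic", "resourceGroup": "rg-example",
     "loginServer": "examplepublic.azurecr.io",
     "anonymousPullEnabled": True, "publicNetworkAccess": "Enabled"},
    {"name": "exampleprivate", "resourceGroup": "rg-example",
     "loginServer": "exampleprivate.azurecr.io",
     "anonymousPullEnabled": False, "publicNetworkAccess": "Enabled"},
])


def find_anonymous_pull(registries_json):
    """Return one finding per registry that allows unauthenticated pulls."""
    findings = []
    for reg in json.loads(registries_json):
        # Assumption: a missing or null property is treated as "not enabled".
        if reg.get("anonymousPullEnabled") is not True:
            continue
        name = reg.get("name")
        findings.append({
            "name": name,
            "login_server": reg.get("loginServer"),
            "resource_group": reg.get("resourceGroup"),
            # Public network access widens who can use the anonymous pull.
            "public_network_access": reg.get("publicNetworkAccess") != "Disabled",
            "fix": f"az acr update --name {name} --anonymous-pull-enabled false",
        })
    # Report registries with public network access first.
    findings.sort(key=lambda f: not f["public_network_access"])
    return findings


if __name__ == "__main__":
    # Usage: az acr list -o json > registries.json; python audit.py registries.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in find_anonymous_pull(raw):
        scope = "public" if f["public_network_access"] else "restricted"
        print(f"{f['login_server']} ({scope} network): anonymous pull enabled")
        print(f"  remediate: {f['fix']}")
```
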